Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

If you are using an older internet browser, new security restrictions mean that from Thursday, 7 June 2018, you may no longer be able to access our website. You will need to update your browser or use an alternative one. We apologise for the inconvenience but some older browsers are no longer secure enough for use on our website. Find out more here.

Making apps that don't suck too much
Charles Mabbett
1 August 2014

Apps can be convenient and fun to use. It is a world of incredible choice but one that also sets off privacy alarm bells. When a New Zealand news media organisation upgraded its app for Android phones earlier this year, one person was concerned enough to contact us.

The man said he had questions about why the app sought consent for some types of privacy permissions before it was downloaded onto a phone. The app asked for access to a number of data sources on his phone that he found “concerning and inappropriate” because it made no attempt to explain the reasons why it collected the data, or how it planned to protect that personal information.

Included among the permissions was access to a user’s social information such as the contacts list and the call log, access to the phone’s web browser history, and the app’s capacity to connect and disconnect the device from local Wi-Fi.

The man’s unease highlighted concerns around principles 1-5 of the Privacy Act. He said there was no justification given as to why those permissions were sought, and no assurance that the data would be secure or how it would be used.

The man believed the app’s permissions fell short of the expectations set out above. He had written to the media organisation for an explanation of the permissions and for a copy of the organisation’s data security provisions. When he did not get a response, he contacted us, although he was reluctant to make a formal complaint.

We decided to begin our own investigation into the app. Soon after, the man informed us he had heard back from the media organisation which said it had removed the contentious permissions from the app. Given that the news organisation had changed the app, we decided not to notify it of our investigation and we took no further action.

The case highlighted for us the growing fears about mobile apps and the range of permissions they seek. We decided we had to do more work at all sections of the app development spectrum - from the people who make them, the businesses that market them, to the consumers that use them.

We recently published our online Need to Know or Nice to Have guide for businesses and mobile app developers. You can find it here. The Asia Pacific Privacy Authorities (APPA) – an international privacy network that we belong to – also promoted the issue during Privacy Week in May with a ‘protect your privacy on your mobile device’ theme.

At the International Conference of Data Protection and Privacy Commissioners in Warsaw, Poland, last year, a resolution about the ‘appification’ of society was passed. It observed that app developers “are often unaware of the privacy implications of their work and unfamiliar with concepts like privacy by design and default”.

Smartphones have only been with us for a short time but millions have now been sold around the world. Some estimates are that there are nearly two billion smartphones in people’s hands and one in five people have at least one. The number of mobile apps has grown exponentially. It was estimated there were six million apps available in 2013 - a number that is growing by 30,000 a day.

Here’s the thing. Apps access and use your personal information and many will send it on to third parties. It is up to privacy regulators to remind app developers of their privacy obligations. Consumers, on the other hand, need to be mindful of the terms and conditions that come with apps - in many cases these might be more than they seem.

Comments

No one has commented on this page yet.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.